RE: [squid-users] Squid + WCCP + TProxy

From: Roth, Joe <jroth_at_binghamton.edu>
Date: Tue, 3 Nov 2009 07:52:23 -0500

So I may have an iptables problem...

This is what I get in dmesg when I put in my iptables rules:

[ 376.170216] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 376.272658] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[ 376.272673] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.

These are the iptables rules that I am using, copied straight from the wiki:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

I also do the following:

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

Am I missing a step? I would suspect that after I do all of this I would at least see some packets hitting the box on 3129.

Thanks,

--Joe
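
[Editor's note: the script below is an added diagnostic for the rule set posted above; it is not code from the Squid project, the Squid wiki or the poster. It assumes exactly that setup (DIVERT chain, fwmark 1, routing table 100, Squid on port 3129) and the output layouts of `iptables -t mangle -L PREROUTING -v -n -x`, `ip rule show` and `ip route show table 100` as reproduced in the constructed samples at the bottom; the interface names in the samples (eth0, wccp0) are placeholders. It answers the question "are packets even reaching the TPROXY rule?" by reading the rule counters rather than guessing, and it lists every interface that still has rp_filter enabled instead of checking lo alone, since the intercepted traffic arrives on the WCCP GRE tunnel interface, not on lo. If the TPROXY counter stays at zero while the chain policy counter climbs, tcp/80 traffic is not arriving in PREROUTING at all (look at the WCCP/GRE side); if the TPROXY counter climbs but nothing shows up on 3129, look at the policy route and rp_filter on the ingress interface. The parsers take command output on stdin so they run without root; `sh tproxy-check.sh check` runs the live checks.]

```sh
#!/bin/sh
# Added diagnostic for the TPROXY rules in the mail above (not Squid or wiki code).
# Assumes: DIVERT chain, fwmark 1, table 100, Squid listening on 3129.
# The parsers read command output from stdin so they can be exercised
# against the constructed samples at the bottom without root.

# Packets counted on the TPROXY rule in mangle/PREROUTING.
# Input: output of `iptables -t mangle -L PREROUTING -v -n -x`.
tproxy_rule_packets() {
    awk '$3 == "TPROXY" { n += $1 } END { printf "%d\n", n + 0 }'
}

# Packets that reached the chain at all (policy counter in the header line).
# Same input as above.
chain_policy_packets() {
    awk '/^Chain PREROUTING/ { sub(/^.*policy [A-Z]+ /, ""); print $1 + 0; found = 1; exit }
         END { if (!found) print 0 }'
}

# Interfaces whose rp_filter is still enabled. Default root is the live
# /proc tree; a test can pass a constructed directory instead.
rp_filter_enabled_ifaces() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for f in "$root"/*/rp_filter; do
        [ -r "$f" ] || continue
        read -r v < "$f"
        [ "$v" = "0" ] || basename "$(dirname "$f")"
    done
}

# Is the fwmark 1 -> table 100 policy rule present? Input: `ip rule show`
# (iproute2 prints the mark in hex, so "fwmark 0x1").
fwmark_rule_present() {
    grep -q 'fwmark 0x1 lookup 100' && echo yes || echo no
}

# Is the catch-all local route present? Input: `ip route show table 100`.
local_route_present() {
    grep -q '^local default dev lo' && echo yes || echo no
}

# Live checks; needs root and the iptables/iproute2/ss tools.
run_checks() {
    ipt=$(iptables -t mangle -L PREROUTING -v -n -x)
    echo "PREROUTING policy packets: $(printf '%s\n' "$ipt" | chain_policy_packets)"
    echo "TPROXY rule packets:       $(printf '%s\n' "$ipt" | tproxy_rule_packets)"
    echo "fwmark 1 -> table 100:     $(ip rule show | fwmark_rule_present)"
    echo "table 100 local route:     $(ip route show table 100 | local_route_present)"
    bad=$(rp_filter_enabled_ifaces | tr '\n' ' ')
    echo "rp_filter still on:        ${bad:-none}"
    echo "listeners on 3129:"
    ss -lnt 2>/dev/null | grep ':3129 ' || netstat -lnt 2>/dev/null | grep ':3129 ' || echo "  none"
}

# Constructed sample output (not captured from a real box), shaped like the
# poster's situation: traffic reaches the chain, nothing hits the TPROXY rule.
SAMPLE_PREROUTING='Chain PREROUTING (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
       0        0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'
SAMPLE_IP_RULE='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
SAMPLE_TABLE100='local default dev lo  scope host'

if [ "${1-}" = "check" ]; then run_checks; fi
```

The sample shows the case to distinguish first: 1234 packets took the chain's policy, the TPROXY rule counted none, so the box is not seeing tcp/80 on the path the rule matches.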

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
Sent: Monday, November 02, 2009 8:52 PM
To: Roth, Joe
Cc: Amos Jeffries; squid-users_at_squid-cache.org
Subject: RE: [squid-users] Squid + WCCP + TProxy

mån 2009-11-02 klockan 09:23 -0500 skrev Roth, Joe:
> I compiled 3.1.0.14 with the --enable-linux-netfilter option and
> installed.

> Is there any way for me to check that squid is properly enabling the
> kernel option?

The needed kernel option is enabled by iptables, not Squid.

The compile + http_port options just tell Squid to query the kernel a
little extra to get the actual address info. The actual intercept will
work even without any of that, just that the result may not be entirely
the expected.

Regards
Henrik
Received on Tue Nov 03 2009 - 12:52:25 MST

This archive was generated by hypermail 2.2.0 : Tue Nov 03 2009 - 12:00:02 MST